> True, I missed out TOFU. I would argue, though, that TOFU gives you a weaker 
> guarantee: authentication *as long as the first message was not tampered with*.

It's certainly a weaker guarantee, yes. But it gives a level of
bootstrapping that can later be verified, which is better than no
storage at all / exchanging keys each time for example.

> TOFU systems also require careful design to achieve the properties you 
> describe vis-a-vis MITM. In particular, while all encrypted messaging systems 
> require a way to roll over the key, they must not support a "set session key 
> to X" message, or similar, or the adversary can use it to switch from active 
> mode to passive mode. This is not as trivial as it sounds -- I think SSL 
> reauthentication lets you do exactly this.

Very true, and interesting points. As an attacker you could then hide
the fact that you have been attacking by switching keys, but it would
sacrifice interception ability from that point onwards, and would
require you to pick a reliable point in time to perform the switch.
(i.e. you'd need to know the reliability and availability of your MITM
attack)

> Otherwise, I agree with what you've said.

=)
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging

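A minimal TOFU key store illustrating the two points debated above, written as an added example for this thread rather than code from any of the participants: a bare "set session key to X" message is refused outright, a rollover must be authenticated under the currently trusted key, and every transition lands in an append-only log so a switch can still be spotted later by out-of-band fingerprint comparison (the symmetric session keys, the HMAC rollover tag and the log layout are constructed assumptions, not any real protocol).

```python
import hashlib
import hmac


def fingerprint(key: bytes) -> str:
    """Short hex fingerprint: the value a user compares out of band."""
    return hashlib.sha256(key).hexdigest()[:16]


def rollover_tag(old_key: bytes, new_key: bytes) -> bytes:
    """Authenticator a peer attaches to a rollover: a MAC under the current
    session key over the proposed key's fingerprint (constructed toy scheme)."""
    msg = b"rollover:" + fingerprint(new_key).encode()
    return hmac.new(old_key, msg, "sha256").digest()


class TofuStore:
    def __init__(self):
        self.keys = {}  # peer -> session key trusted on first use
        self.log = []   # append-only: (event, peer, old_fp, new_fp)

    def check(self, peer: str, key: bytes) -> str:
        """Trust on first use, then insist the same key keeps showing up."""
        fp, current = fingerprint(key), self.keys.get(peer)
        if current is None:
            self.keys[peer] = key
            self.log.append(("first_seen", peer, None, fp))
            return "pinned"
        if hmac.compare_digest(current, key):
            return "ok"
        self.log.append(("mismatch", peer, fingerprint(current), fp))
        return "mismatch"

    def set_key(self, peer: str, key: bytes) -> bool:
        """Bare 'set session key to X': always refused, but still logged."""
        old = self.keys.get(peer)
        self.log.append(("refused_set", peer, old and fingerprint(old), fingerprint(key)))
        return False

    def rollover(self, peer: str, new_key: bytes, tag: bytes) -> bool:
        """Accept a new key only when the tag verifies under the pinned key."""
        old = self.keys.get(peer)
        if old is None or not hmac.compare_digest(tag, rollover_tag(old, new_key)):
            self.log.append(("bad_rollover", peer, old and fingerprint(old), fingerprint(new_key)))
            return False
        self.keys[peer] = new_key
        self.log.append(("rollover", peer, fingerprint(old), fingerprint(new_key)))
        return True

    def changes(self, peer: str) -> list:
        """Every key transition for a peer, for later out-of-band verification."""
        return [e for e in self.log if e[1] == peer and e[0] != "first_seen"]
```

Note that an active adversary who holds the pinned key can still produce a valid rollover tag, which is exactly the switch-to-passive concern raised above; what the log buys you is that the switch is recorded and can be caught when fingerprints are later checked out of band.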